Reputation: 21661
Access token doesn't contain all the requested scopes
I have an angular application and an DotNet core web api application. The web api exposes 2 permissions. The angular has susbscribed to those permissions (see screenshot).
In the code, I tried this
export const loginRequest: { scopes: string[] } = {
//scopes: ['user.read', 'openid', 'profile'], //--> I commented out this line.
scopes: []
};
export const tokenRequest: { scopes: string[] } = {
scopes: ['api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access',
'api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write']
};
consentScopes: [
...loginRequest.scopes,
...tokenRequest.scopes,
],
The access token contain the scopes I didn't ask for, but it is not returning what I asked.
How do I get the 2 scopes I've requested?
Thanks for helping
EDIT 1
Here's the configuration
auth: {
clientId: '78803184-e866-4966-b372-d98b4feae898',
authority: "https://login.microsoftonline.com/{tenantId}/",
validateAuthority: true,
redirectUri: "http://localhost:4200/",
postLogoutRedirectUri: "http://localhost:4200/",
navigateToLoginRequestUrl: true,
}
EDIT 2
This is are the requested scopes now. I've removed all the related graph, such as user.read, openid, and profile.
{
popUp: !isIE,
consentScopes: [
"api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Access",
"api://da8b9450-d9b7-4b7f-9667-fdae9a7c8359/API.Write"
],
unprotectedResources: ["https://localhost:5001"],
protectedResourceMap,
extraQueryParameters: {}
}
I'm still receive the same scopes, i.e. even after the client to the list of clients for the API.
However, I looked at the request being sent to AZURE AD. This is how it looks like. According to this request, I'm still requesting user.read, openid, and profile although I removed them from the list of requested scopes.
Request URL: https://login.microsoftonline.com/313200b5-a917-47d1-2233-149b07d5d7b5/oauth2/v2.0/authorize?
response_type=token&scope=user.read openid profile&client_id=78803184-e866-54e3-b200-d98b4feae898
&redirect_uri=http://localhost:4200/
&state=eyJpZCI6IjMwZDJkOGNkLTM2NWUtNGMwOS1iYWY1LTcyZWYyMTU0YWE5ZSIs
InRzIjoxNjExNTUwMDUxLCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9
&nonce=6f25b4e0-71f7-4cde-abf4-cb5545d2507e
&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4
&[email protected]
&client-request-id=a68ef0b3-111b-4b1c-a3e7-cdcb075516ca
&prompt=none&response_mode=fragment
EDIT 3
I found this line of code
const GRAPH_ENDPOINT = 'https://graph.microsoft.com/v1.0/me';
getProfile() {
this.http.get(GRAPH_ENDPOINT)
.toPromise().then(profile => {
this.profile = profile;
});
}
Upvotes: 1
Views: 2154
Answers (1)
Reputation: 9549
Move comment to answer:
Like I said in the comments, what you get is the ms graph api token, which only contains the scope of ms graph api. A token cannot contain the scope of two apis. If you need to get the scope of a custom api, you should get another token.
The access token is issued according to the api audience you want to access, and it is unique! A token can only have one audience, and you cannot use multiple scopes to request access tokens.
One sentence summary: You cannot make an access token contain API.Access API.Write User.Read scp claims at the same time, because these are the scope of two completely different APIs.
Upvotes: 2
Related Questions
- Scope is not being added to Access Token returned from Azure Ad
- Not getting token with acquireTokensilent but getting tokens with acquireTokenpopup Msal-browser
- Passport-Azure-AD not validating access_token from MSAL Angular authentication
- Not able to get tokens / msal objects in angularJS after successful login for AzureAD
- Azure AD WebAPI return Not Authorization even with request passes an access token from Angular client
- Problem with authenticating Azure AD tokens at Web API
- Retrieve Access Token within a AAD secured Azure Web App
- Access Token do not include access for API with MSAL
- Angular 2 SPA Azure Active Directory JWT Issue
- Azure AD 2.0 application - can't access scope from angular client